Rethinking rsa encryption of license keys
Dr. Hawkins
dochawk at gmail.com
Tue May 14 18:09:14 EDT 2013
On Tue, May 14, 2013 at 2:08 PM, kee nethery <kee at kagi.com> wrote:
> You embed your public RSA key into your app.
> You pick a random symmetrical key and encrypt your payload using that key.
> You encrypt the random symmetrical key with your private RSA key.
> You append the encrypted random key to your encrypted payload and send
> that to the customer.
> You extract the encrypted random symmetrical key from the payload and
> decrypt it with your embedded public key.
> You take the decrypted random symmetrical key and use that to decrypt the
> payload.
>
Cryptography was never one of my areas of math--but doesn't this reduce the
total security to the security of the symmetrical key used? I thought that
the total encryption level was effectively limited to the weakest element
in the chain . . .
> This prevents someone from creating an unlock file that your app can
> decrypt and use. It does not prevent them from passing the file on to
> another user. To attempt to prevent them from passing an unlock payload to
> another user, you'll need to get something from the user and validate that
> against what is in the payload.
>
*That* is not a problem in my case :)
The main payload is the name, address, and bar number (law license), as
well as jurisdiction, of the licensed attorney.
You can't file much under another attorney's name. (But I read a discipline
case some time ago where an attorney got a sample document from another,
and had so little idea what he was doing that he started filing with the
other attorney's name still listed . . .)
--
Dr. Richard E. Hawkins, Esq.
(702) 508-8462
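
The exchange described in the quoted text above, as an added example that is not code from either poster or from LiveCode: the vendor side builds the unlock file and the app side reads it using only the embedded public key. Assumptions: textbook RSA without padding on a constructed demo key, a SHA-256 keystream standing in for the unspecified symmetric cipher, and hypothetical function names; this is illustrative only, not a production design.

```python
import hashlib
import secrets

# Constructed demo RSA key built from two Mersenne primes so the example runs
# with the standard library only. Not a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, embedded in the app
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, vendor only
KEY_LEN = 32                             # symmetric key size in bytes
WRAP_LEN = (N.bit_length() + 7) // 8     # size of the wrapped-key blob


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): SHA-256 counter keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def make_unlock_file(payload: bytes, d: int = D) -> bytes:
    """Vendor side: encrypt the payload under a random key, then apply the
    private-key operation to that key and append the result."""
    sym_key = secrets.token_bytes(KEY_LEN)
    body = _keystream_xor(sym_key, payload)
    wrapped = pow(int.from_bytes(sym_key, "big"), d, N)  # textbook RSA, no padding
    return body + wrapped.to_bytes(WRAP_LEN, "big")


def read_unlock_file(blob: bytes) -> bytes:
    """App side: recover the key with the embedded public key, then decrypt."""
    body, wrapped = blob[:-WRAP_LEN], blob[-WRAP_LEN:]
    key_int = pow(int.from_bytes(wrapped, "big"), E, N)
    # A blob made with any other exponent yields a value far wider than a key.
    if key_int.bit_length() > KEY_LEN * 8:
        raise ValueError("wrapped key was not produced with the vendor private key")
    return _keystream_xor(key_int.to_bytes(KEY_LEN, "big"), body)


if __name__ == "__main__":
    sample = b"name=Example Attorney;bar=00000;jurisdiction=XX"  # constructed payload
    print(read_unlock_file(make_unlock_file(sample)))
```

Because the public key ships inside the app, anyone holding the app can recover the symmetric key from a delivered file; the step the app relies on is the private-key operation, not the secrecy of the payload.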